AmazonServiceException: User is not authorized to perform: dynamodb:DescribeTable Status Code: 400; Error Code: AccessDeniedException

Kurt Wagner picture Kurt Wagner · Jul 15, 2014 · Viewed 22.3k times · Source

I had originally thought that this issue was due to mismatching regions, but after changing the region, I'm still coming across the following error when trying out an Amazon AWS sample found here:

DynamoDBMapper

 AmazonServiceException: User: arn:aws:sts::[My Account
 ARN]:assumed-role/Cognito_AndroidAppUnauth_DefaultRole/ProviderSession
 is not authorized to perform: dynamodb:DescribeTable on resource:
 arn:aws:dynamodb:us-east-1:[My Account ARN]:table/test_table (Service:
 AmazonDynamoDBv2; Status Code: 400; Error Code: AccessDeniedException;
 Request ID: BBFTS0Q8UHTMG120IORC2KSASVVV4KQNSO5AEMVJF66Q9ASUAAJG)

Everything is more or less the same, the only things I've changed have been changing the DBclient region to US_EAST_1, where my test table is hosted and modifying the Constants file using the info from the 'Amazon Cognito Starter Code' page that is generated through following the Cognito get started documentation.

sdkforandroid-cognito-auth

For my Cognito_AndroidAppUnauth_DefaultRole role policy I modified the default mobile analytics and sync service permission to also include access of all actions on all tables, existing or not:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CognitoPolicy",
            "Action": [
                "mobileanalytics:PutEvents",
                "cognito-sync:*"
            ],
            "Effect": "Allow",
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "DynamoDBPolicy",
            "Effect": "Allow",
            "Action": [
                "dynamodb: *"
            ],
            "Resource": "*"
        }
    ]
}

So why is it claiming that it doesn't have permission when the correct region is used and the Unauth policy should allow for table access?

EDIT: Stacktrace when calling a method on the DynamoDB resource (create table), should it prove useful

   com.amazonaws.AmazonServiceException: User: arn:aws:sts::[My Account ARN]:assumed-role/Cognito_AndroidAppUnauth_DefaultRole/ProviderSession is not authorized to perform: dynamodb:CreateTable on resource: arn:aws:dynamodb:us-east-1:[My Account ARN]:table/test_table (Service: AmazonDynamoDBv2; Status Code: 400; Error Code: AccessDeniedException; Request ID: SDELNSMLO10EV7CM2STC1R9RU3VV4KQNSO5AEMVJF66Q9ASUAAJG)
            at com.amazonaws.http.AmazonHttpClient.handleErrorResponse(Unknown Source)
            at com.amazonaws.http.AmazonHttpClient.executeHelper(Unknown Source)
            at com.amazonaws.http.AmazonHttpClient.execute(Unknown Source)
            at com.amazonaws.services.dynamodbv2.AmazonDynamoDBClient.invoke(Unknown Source)
            at com.amazonaws.services.dynamodbv2.AmazonDynamoDBClient.createTable(Unknown Source)
            at com.amazonaws.demo.userpreferencesom.DynamoDBManager.createTable(DynamoDBManager.java:72)
            at com.amazonaws.demo.userpreferencesom.UserPreferenceDemoActivity$DynamoDBManagerTask.doInBackground(UserPreferenceDemoActivity.java:99)
            at com.amazonaws.demo.userpreferencesom.UserPreferenceDemoActivity$DynamoDBManagerTask.doInBackground(UserPreferenceDemoActivity.java:85)
            at android.os.AsyncTask$2.call(AsyncTask.java:288)
            at java.util.concurrent.FutureTask.run(FutureTask.java:237)
            at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1112)
            at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:587)
            at java.lang.Thread.run(Thread.java:841)

Answer

Kurt Wagner picture Kurt Wagner · Jul 15, 2014

Worked with an Amazon engineer and it turns out the problem was in the policy configuration:

"dynamodb: *"

should be

"dynamodb:*"

It's amazing what a space can do.